Triggering Fail-safe Actions on the Basis of Non-safety HMI
Task (general)
Many industrial automation solutions have a structure in which a control station communicates with several substations:


Figure 01: Task (general)

From the control station, one or more substations can be selected and made to execute various actions (specify setpoints, request actual values, etc.). This selection is usually made via an HMI (panel).

Task (specific)
The general requirements described above are now to apply to the following safety-related task:

  • A substation is to be selected via an HMI (panel) of the control station.
  • An emergency stop triggered in the control station is to affect the selected substation only.
  • SIL 3 in accordance with IEC 62061 is to be achieved.

Thus, a fail-safe action (triggering of an emergency stop) is required that is based on a non-safety action (selection of the substation via a non-safety HMI).


Figure 02: Fail-safe action on the basis of a non-safety HMI

For this safety-related task, additional measures are required as compared with the general task.

Solution  
The following solution concept has been realized:

From the HMI of the control station, the substation (see Figure 3 below) is selected via a button. A signature (ABC) is transmitted to the F-CPU of the control station (path 1).

Via a second button, a masked signature (ABC-1) is transmitted to the F-CPU of the selected substation (path 2). In the F-CPU of the substation, the transmitted signature is demasked again (ABC+1) and compared for equality with a signature setpoint stored in that substation. If they are equal, the signature is returned; if they are not equal, an error is returned instead. In both cases the reply travels over fail-safe communication via an S7 connection to the F-CPU of the control station (path 2).

In the F-CPU of the control station, the signatures received via path 1 and path 2 are compared for equality. Only if they are equal has the correct substation been selected, and only then may the emergency stop be routed to that substation.


Figure 03: Solution concept
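The following Python model of the two-path signature check is an added example and is not code from the Siemens project; the real implementation runs in the F-CPUs with F_SENDS7 / F_RCVS7. The signature setpoints (1001, 2002), the mask offset of 1 (taken from the page's "ABC-1" / "ABC+1" notation) and the four fault scenarios are constructed here to make the behaviour visible: a correct selection passes, while a masked value delivered to the wrong substation, an unmasked value on path 2, and a stale path 1 value are all rejected.

```python
"""Model of the path-1 / path-2 signature check (added example, not the project's code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed from the page's notation: path 2 carries ABC-1, the substation adds 1 back.
MASK_OFFSET = 1

# Assumed values: one fixed signature setpoint stored in each substation F-CPU.
SIGNATURE_SETPOINTS = {
    "substation 1": 1001,
    "substation 2": 2002,
}


@dataclass
class Path2Reply:
    """Reply from the substation F-CPU over the fail-safe S7 connection."""
    ok: bool
    signature: Optional[int] = None  # demasked signature, present only when ok


def substation_fcpu(name: str, masked_signature: int) -> Path2Reply:
    """Substation side of path 2: demask and compare with the local setpoint."""
    signature = masked_signature + MASK_OFFSET
    if signature == SIGNATURE_SETPOINTS[name]:
        return Path2Reply(ok=True, signature=signature)
    return Path2Reply(ok=False)  # error information instead of the signature


def control_station_fcpu(path1_signature: int, reply: Path2Reply) -> bool:
    """Control-station side: release the fail-safe action only if both paths agree."""
    if not reply.ok:
        return False
    return reply.signature == path1_signature


def hmi_select(target: str) -> Tuple[int, str, int]:
    """Non-safety HMI: button 1 sends ABC on path 1, button 2 sends ABC-1 on path 2.

    Returns (path-1 value, path-2 target substation, path-2 masked value).
    """
    abc = SIGNATURE_SETPOINTS[target]
    return abc, target, abc - MASK_OFFSET


def select_and_check(path1_signature: int, path2_target: str, path2_masked: int) -> bool:
    """Run one selection round and report whether the emergency stop may be released."""
    reply = substation_fcpu(path2_target, path2_masked)
    return control_station_fcpu(path1_signature, reply)


def scenarios() -> dict:
    """Constructed scenarios: one correct selection and three HMI/communication faults."""
    p1, target, masked = hmi_select("substation 1")
    return {
        "correct selection": select_and_check(p1, target, masked),
        # Fault: HMI routes the masked value to the wrong substation.
        "path 2 to wrong substation": select_and_check(p1, "substation 2", masked),
        # Fault: path 2 carries the unmasked path-1 value; demasking yields ABC+1.
        "unmasked value on path 2": select_and_check(p1, target, p1),
        # Fault: path 1 still holds the previous selection (substation 2).
        "stale path 1 value": select_and_check(SIGNATURE_SETPOINTS["substation 2"], target, masked),
    }


if __name__ == "__main__":
    for name, released in scenarios().items():
        print(f"{name:28s}: {'release' if released else 'blocked'}")
```

Because path 2 carries the masked value, a fault that delivers the path-1 value unchanged to the substation is caught already in the substation (it demasks to ABC+1 and misses the setpoint), and the control station additionally catches any disagreement between the two paths. Note that this is a functional-safety measure against faults; it does not by itself protect against an attacker who can write to both paths, which is why the Security Notice below still applies.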

Practical application options
The concept of triggering a fail-safe action on the basis of a non-safety HMI can be applied in various applications, e.g.:

  • Ship locks and weirs
    - Fail-safe actions can be triggered from a remote control station (several kilometres away) and affect only the selected substations.
  • Selection of various (container) cranes from the driver's cab

What does this safety function example offer?
This STEP 7 project comprises

  • the safety concept implemented in the programs of the three F-CPUs (control station, substation 1, substation 2). In each F-CPU, the F-program is structured as a state machine.
  • the fail-safe communication via an S7 connection (F_SENDS7 / F_RCVS7).
  • prepared visualization user interfaces in WinCC flexible for the control station and the two substations.


Figure 04: Prepared visualization user interface for the control station

The documentation (PDF) explains in detail the implemented safety concept and its implementation in the HMI program and in the STEP 7 program.

Achieved SIL in accordance with IEC 62061
The documentation (PDF) explains in detail the calculations made according to the standard and demonstrates that SIL 3 in accordance with IEC 62061 is achieved.

Advantages
This safety function example offers the following advantages:

  • Application of a safety concept on the basis of the use of a non-safety HMI in order to realize a safety function
  • Tested code
  • Step-by-step instructions
  • Detailed description of the safety concept with background information
  • Modular program structure including a state machine
  • Defined interfaces
  • Detailed standards calculation

Benefit
For you, these advantages mean the following:

  • Simple realization of safety functions
  • Transferability of the safety concept to a wide range of applications
  • Shorter training period
  • Simple expandability
  • Support for proving compliance with the requirements of IEC 62061

Downloads
Content of the downloads

Download

Documentation (english) 59012254_non_safety_hmi_v10_en.pdf ( 2024 KB )
Code  59012254_non_safety_hmi_v10.zip ( 5905 KB )

Security Notice
Caution
The functions and solutions described in this article are confined predominantly to the realization of the automation task. The signature check is a functional-safety measure against faults in the non-safety HMI and its communication paths; it is not a protection against deliberate manipulation. Please therefore take into account that corresponding protective measures in the sense of Industrial Security have to be taken when connecting your equipment to other parts of the plant, the enterprise network or the Internet. Further information can be found under Entry-ID 50203404.

Last Changes
First issue

Additional Keywords
Safety Integrated, Distributed Safety, failsafe, boat lift, ship lift, ship hoist

Filter criteria:
Hardware platform: SIMATIC S7-300/S7-400
Software: Distributed Safety
Entry contents: Application Examples
Entry ID: 59012254   Date: 2012-03-30